Open for Voting
over 1 year ago

Extract of Log / Trap Messages (VarBinds) to Trigger Orion Alerts

We need to be able to extract VarBinds from traps and alert on them (or regex patterns in syslogs).

For example, BGP Peer down OID

Peer address is in varbind

Local address is in varbind

The problem is that you cannot have 2 instances/alerts of the same Log Analyzer rule hit. So if "RouterA" has Peer1 go down, it triggers this.

5 hours later if "RouterA" has "Peer2" go down, it triggers this again (with a different VarBind). Same LA rule, same Orion alert, so nothing re-triggers as Orion thinks it's already active.

Similarly, Orion can only display the ENTIRE trap message using the $(loganalyster.Macro). That's no good, as we get 5 lines of garbage when all I want to view is the single varbind that's important to me - the peer address.

Until VarBinds can be individually alerted on, and extracted into the Orion message, the alerting functionality of LA is useless for us.
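An added illustration of the behaviour requested above (not part of the original post and not SolarWinds code): alert instances keyed on node and rule alone suppress the second peer, while adding the peer-address varbind to the key yields one instance per peer with a message built from that single varbind. The varbind names, the "name = value" trap layout and the sample traps are assumptions constructed for this example.

```python
# Constructed sample traps (not real device output). The varbind names and
# the "name = value" text layout are assumptions made for this example.
TRAPS = [
    ("RouterA", "bgpPeerRemoteAddr = 192.0.2.1\nbgpPeerLocalAddr = 198.51.100.1"),
    ("RouterA", "bgpPeerRemoteAddr = 192.0.2.2\nbgpPeerLocalAddr = 198.51.100.1"),
    ("RouterA", "bgpPeerRemoteAddr = 192.0.2.1\nbgpPeerLocalAddr = 198.51.100.1"),
]
RULE = "BGP peer down"  # hypothetical rule name


def parse_varbinds(text):
    """Split a trap message into a {name: value} dict, skipping lines without '='."""
    varbinds = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            varbinds[name.strip()] = value.strip()
    return varbinds


def active_alerts(traps, rule, key_varbinds=()):
    """Return the messages of active alert instances.

    An instance is identified by (node, rule) plus the values of key_varbinds.
    A trap whose key is already active is suppressed, as in the post.
    """
    active = {}
    for node, text in traps:
        vb = parse_varbinds(text)
        key = (node, rule) + tuple(vb.get(n, "<missing>") for n in key_varbinds)
        if key not in active:
            # Message uses only the one varbind of interest, not the whole trap.
            peer = vb.get("bgpPeerRemoteAddr", "<missing>")
            active[key] = f"{node}: {rule}, peer {peer}"
    return list(active.values())


if __name__ == "__main__":
    # Keyed on node + rule only: the second peer never raises an alert.
    print(active_alerts(TRAPS, RULE))
    # Keyed on node + rule + peer address: one instance per peer.
    print(active_alerts(TRAPS, RULE, ("bgpPeerRemoteAddr",)))
```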

  • Half of your request is now possible with 2020.2.5+. You can extract the varbinds so that you can construct an alert message from the varbinds. Unfortunately the other half - where you want unique instances of alerts hit by the same condition but with different varbinds, i.e. nodename or interface - is not possible, so it's still useless from an incident management perspective.

  • This is definitely needed

  • This is definitely needed. Can't believe SW didn't include this feature when they were developing Log Analyzer.

  • Log Analyzer dev team,

    The feature ashleyh mentions is extremely important to us. When you say you are working on "sub string extraction" as a Log Analyzer feature, is this what you are referring to? 

    I'm trying to understand if this feature is in the pipeline, or if you have no current plans to implement this.



  • 98 percent of our alerting is generated from external systems sending messages into our main console via SNMP or Syslog. The legacy syslog and SNMP engine was working fine but it is scheduled to be retired in some future version so we moved all of that functionality off to a different product.